zfs_allow(1m) - delegates ZFS file system administration permission to non-privileged users
-
System Administration Commands zfs_allow(1M) NAME zfs_allow - delegates ZFS file system administration permission to non- privileged users SYNOPSIS zfs help subcommand | help | property property-name | permission zfs help -l properties zfs allow filesystem|volume zfs allow [-ldug] everyone|user|group[,...] perm|@setname[,...] filesystem|volume zfs allow [-ld] -e perm|@setname[,...] filesystem|volume zfs allow -c perm|@setname[,...] filesystem|volume zfs allow -s @setname perm|@setname[,...] filesystem|volume zfs unallow [-rldug] everyone|user|group[,...] [perm|@setname[,... ]] filesystem|volume zfs unallow [-rld] -e [perm|@setname[,... ]] filesystem|volume zfs unallow [-r] -c [perm|@setname[ ... ]] filesystem|volume zfs unallow [-r] -s @setname [perm|@setname[,... ]] filesystem|volume DESCRIPTION The zfs allow command can be used to delegate permissions to non-privi- leged users for administering ZFS file systems in a ZFS storage pool, as described in zpool(1M). You can use the zfs unallow command to revoke administrative permissions. Permissions are generally the ability to use a ZFS subcommand or change a ZFS property. The following permissions are available: # zfs help permissions The following delegated permissions are supported: NAME TYPE NOTES allow subcommand Must also have the permission that is being allowed clone subcommand Must also have the 'create' ability and 'mount' ability in the origin file system create subcommand Must also have the 'mount' ability destroy subcommand Must also have the 'mount' ability diff subcommand Allows lookup of paths within a dataset, given an object number. Ordinary users need this in order to use zfs diff hold subcommand Allows adding a user hold to a snapshot mount subcommand Allows mount/umount of ZFS datasets promote subcommand Must also have the 'mount' and 'promote' ability in the origin file system receive subcommand Must also have the 'mount' and 'create' ability release subcommand Allows releasing a user hold which might destroy the snapshot rename subcommand Must also have the 'mount' and 'create' ability in the new parent rollback subcommand Allows rolling back datasets to previously-taken snapshots send subcommand Allows sending of snapshots share subcommand Allows sharing file systems over NFS or SMB protocols snapshot subcommand Allows taking of snapshots groupquota other Allows accessing any groupquota@... property groupused other Allows reading any groupused@... property key other Allows load/unload of dataset key keychange other Allows key change operations userprop other Allows changing any user property userquota other Allows accessing any userquota@... property userused other Allows reading any userused@... property The following properties can have delegated permissions applied: aclinherit aclmode atime canmount casesensitivity checksum compression copies dedup devices encryption exec keysource logbias mountpoint multilevel nbmand normalization primarycache quota readonly recordsize refquota refreservation reservation rstchown secondarycache setuid shadow sharenfs sharesmb snapdir sync utf8only version volblocksize volsize vscan xattr zoned SUBCOMMANDS All subcommands that modify state are logged persistently to the pool in their original form. zfs ? Displays a help message. zfs help command | help | property property-name | permission Displays zfs command usage information. You can display help for a specific command, property, or delegated permission. If you display help for a specific command or property, the command syntax or property value is displayed. Using zfs help without any arguments displays a complete list of zfs commands. zfs help -l properties Displays zfs property information, including whether the property value is editable and inheritable, and their possible values. zfs allow filesystem | volume Displays permissions that have been delegated on the specified filesystem or volume. See the other forms of zfs allow for more information. zfs allow [-ldug] everyone|user|group[,...] perm|@setname[,...] filesystem| volume zfs allow [-ld] -e perm|@setname[,...] filesystem | volume Delegates ZFS administration permission for the file systems to non-privileged users. [-ug] everyone|user|group[,...] Specifies to whom the permissions are delegated. Multiple enti- ties can be specified as a comma-separated list. If neither of the -ug options are specified, then the argument is interpreted preferentially as the keyword everyone, then as a user name, and lastly as a group name. To specify a user or group named "everyone", use the -u or -g options. To specify a group with the same name as a user, use the -g options. [-e] perm|@setname[,...] Specifies that the permissions be delegated to everyone. Multi- ple permissions may be specified as a comma-separated list. Permission names are the same as ZFS subcommand and property names. See the property list below. Property set names, which begin with an at sign (@) , may be specified. See the -s form below for details. [-ld] filesystem|volume Specifies where the permissions are delegated. If neither of the -ld options are specified, or both are, then the permis- sions are allowed for the file system or volume, and all of its descendents. If only the -l option is used, then is allowed "locally" only for the specified file system. If only the -d option is used, then is allowed only for the descendent file systems. zfs allow -c perm|@setname[,...] filesystem|volume Sets "create time" permissions. These permissions are granted (locally) to the creator of any newly-created descendent file sys- tem. zfs allow -s @setname perm|@setname[,...] filesystem|volume Defines or adds permissions to a permission set. The set can be used by other zfs allow commands for the specified file system and its descendents. Sets are evaluated dynamically, so changes to a set are immediately reflected. Permission sets follow the same nam- ing restrictions as ZFS file systems, but the name must begin with an "at sign" (@), and can be no more than 64 characters long. zfs unallow [-rldug] everyone|user|group[,...] [perm|@setname[, ...]] filesystem|volume zfs unallow [-rld] -e [perm|@setname [,...]] filesystem|volume zfs unallow [-r] -c [perm|@setname[,...]] filesystem|volume Removes permissions that were granted with the zfs allow command. No permissions are explicitly denied, so other permissions granted are still in effect. For example, if the permission is granted by an ancestor. If no permissions are specified, then all permissions for the specified user, group, or everyone are removed. Specifying everyone (or using the -e option) only removes the permissions that were granted to everyone, not all permissions for every user and group. See the zfs allow command for a description of the -ldugec options. -r Recursively remove the permissions from this file system and all descendents. zfs unallow [-r] -s @setname [perm|@setname[,...]] filesystem|volume Removes permissions from a permission set. If no permissions are specified, then all permissions are removed, thus removing the set entirely. EXAMPLES Example 1 Delegating ZFS Administration Permissions on a ZFS Dataset The following example shows how to set permissions so that user anne can create, destroy, mount, and take snapshots on pool/home/anne. The permissions on pool/home/anne are also displayed. # zfs allow anne create,destroy,mount,snapshot pool/home/anne # zfs allow pool/home/anne ---- Permissions on pool/home/anne ----------------------------------- Local+Descendent permissions: user anne create,destroy,mount,snapshot Because the pool/home/anne mount point permission is set to 755 by default, user anne will be unable to mount file systems under pool/home/anne. Set an ACL similar to the following syntax to provide mount point access: # chmod A+user:anne:add_subdirectory:allow /pool/home/anne Example 2 Delegating Create Time Permissions on a ZFS Dataset The following example shows how to grant anyone in the group staff to create file systems in pool/home. This syntax also allows staff members to destroy their own file systems, but not destroy anyone else's file system. The permissions on pool/home are also displayed. # zfs allow staff create,mount pool/home # zfs allow -c destroy pool/home # zfs allow pool/home ---- Permissions on pool/home ---------------------------------------- Create time permissions: destroy Local+Descendent permissions: group staff create,mount Example 3 Defining and Granting a Permission Set on a ZFS Dataset The following example shows how to define and grant a permission set on the pool/home file system. The permissions on pool/home are also dis- played. # zfs allow -s @pset create,destroy,snapshot,mount pool/home # zfs allow staff @pset pool/home # zfs allow pool/home ---- Permissions on pool/home ---------------------------------------- Permission sets: @pset create,destroy,mount,snapshot Create time permissions: destroy Local+Descendent permissions: group staff @pset,create,mount Example 4 Delegating Property Permissions on a ZFS Dataset The following example shows to grant the ability to set quotas and reservations on the tank/users file system. The permissions on tank/users are also displayed. # zfs allow mark quota,reservation tank/users # zfs allow tank/users ---- Permissions on tank/users --------------------------------------- Local+Descendent permissions: user mark quota,reservation mark% zfs set quota=10G tank/users/tim mark% zfs get quota tank/users/tim NAME PROPERTY VALUE SOURCE tank/users/tim quota 10G local Example 5 Removing ZFS Delegated Permissions on a ZFS Dataset The following example shows how to remove the snapshot permission from the @pset permission set for the staff group on the pool/home file sys- tem. The permissions on pool/home are also displayed. # zfs unallow -s @pset snapshot pool/home # zfs allow pool/home ---- Permissions on pool/home ---------------------------------------- Permission sets: @pset create,destroy,mount Create time permissions: destroy Local+Descendent permissions: group staff @pset,create,mount EXIT STATUS The following exit values are returned: 0 Successful completion. 1 An error occurred. 2 Invalid command line options were specified. ATTRIBUTES See attributes(5) for descriptions of the following attributes: +-----------------------------+-----------------------------+ | ATTRIBUTE TYPE | ATTRIBUTE VALUE | +-----------------------------+-----------------------------+ |Availability |system/file-system/zfs | +-----------------------------+-----------------------------+ |Interface Stability |Committed | +-----------------------------+-----------------------------+ SEE ALSO zfs(1M), zpool(1M), chmod(2), chown(2), attributes(5) For information about using other ZFS features, see zfs_encrypt.1m, zfs_share.1m, zfs(1M) and the Managing ZFS File Systems in Oracle Solaris 11.3. SunOS 5.11 23 Jul 2015 zfs_allow(1M)
© Lightnetics 2024